In order to verify signatures, users could upload their certificates and public keys using these routes:

-> for public keys: /v2/_zot/ext/mgmt?resource=signatures&tool=cosign
-> for certificates: /v2/_zot/ext/mgmt?resource=signatures&tool=notation&truststoreType=ca&truststoreName=name

Then the public keys will be stored under $rootdir/_cosign and the certificates will be stored under $rootdir/_notation/truststore/x509/$truststoreType/$truststoreName. Also, for the notation case, the "truststores" field of the $rootdir/_notation/trustpolicy.json file will be updated with a new entry "$truststoreType:$truststoreName". Also, based on the uploaded files, the information about the signatures' validity will be updated periodically.

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
# mgmt

The mgmt component provides an endpoint for configuration management.
The response depends on the privileges of the requesting user:

- unauthenticated and authenticated users get a stripped config
- admins get the full configuration with passwords hidden (not implemented yet)
| Supported queries | Input | Output | Description |
|---|---|---|---|
| Get current configuration | None | config json | Get current zot configuration |
| Upload a certificate | certificate | None | Add certificate for verifying notation signatures |
| Upload a public key | public key | None | Add public key for verifying cosign signatures |
## General usage

The mgmt endpoint accepts as a query parameter which `resource` is targeted by the request, followed by all other required parameters for the specified resource. The default value of this query parameter is `config`.
### Get current configuration

Sample request

```shell
curl http://localhost:8080/v2/_zot/ext/mgmt | jq
```

Sample response

```json
{
  "distSpecVersion": "1.1.0-dev",
  "binaryType": "-sync-search-scrub-metrics-lint-ui-mgmt",
  "http": {
    "auth": {
      "htpasswd": {},
      "bearer": {
        "realm": "https://auth.myreg.io/auth/token",
        "service": "myauth"
      }
    }
  }
}
```
If ldap or htpasswd authentication is enabled, mgmt returns `{"htpasswd": {}}` under `auth`, indicating that clients can authenticate with basic auth credentials. More generally, the presence of a key under `auth` in the mgmt response means that particular authentication method is enabled, even when its value is an empty object; `bearer` additionally carries the `realm` and `service` a client needs to request a token.
## Configure zot for verifying signatures

If the `resource` is `signatures`, then the mgmt endpoint accepts as a query parameter the `tool` that corresponds to the uploaded file, followed by all other required parameters for the specified tool.
### Upload a certificate

Sample request

| Tool | Parameter | Parameter Type | Parameter Description |
|---|---|---|---|
| notation | truststoreType | string | The type of the truststore. This parameter is optional and its default value is `ca` |
| notation | truststoreName | string | The name of the truststore |

```shell
curl --data-binary @certificate.crt -X POST "http://localhost:8080/v2/_zot/ext/mgmt?resource=signatures&tool=notation&truststoreType=ca&truststoreName=newtruststore"
```

The URL is quoted so that the shell does not treat each `&` as a command separator and drop the remaining query parameters.

As a result of this request, the uploaded file will be stored in the `_notation/truststore/x509/{truststoreType}/{truststoreName}` directory under `$rootDir`, and the `truststores` field of the `_notation/trustpolicy.json` file will be updated with a new `{truststoreType}:{truststoreName}` entry.
### Upload a public key

Sample request

| Tool | Parameter | Parameter Type | Parameter Description |
|---|---|---|---|
| cosign | None | | No additional parameters are required |

```shell
curl --data-binary @publicKey.pub -X POST "http://localhost:8080/v2/_zot/ext/mgmt?resource=signatures&tool=cosign"
```

As a result of this request, the uploaded file will be stored in the `_cosign` directory under `$rootDir`.
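The Python helpers below are an added example, not code from zot or from this README. They tie together the two interactions documented above: reading the `auth` section of the configuration response to learn which authentication methods are enabled, and preparing the `signatures` uploads for cosign and notation with correctly encoded query parameters. The helpers assume a zot instance reachable at whatever base URL is passed in and that the endpoint behaves as described here; the PEM bodies are constructed placeholders, not real keys or certificates. The PEM-label check (a cosign upload should be a `PUBLIC KEY` block, a notation upload a `CERTIFICATE` block) and the single-path-component check on `truststoreType`/`truststoreName` are client-side sanity checks added here, since both values end up in a filesystem path under `$rootDir`; the README does not say how zot validates those inputs server-side.

```python
"""Client-side helpers for zot's mgmt endpoint (added example, not zot's code).

Assumes a zot instance at the given base URL behaving as the README describes.
PEM bodies below are constructed placeholders, not real keys or certificates.
"""
import json
import posixpath
import urllib.request
from urllib.parse import urlencode

MGMT_PATH = "/v2/_zot/ext/mgmt"

# PEM block label each tool expects: cosign takes a PKIX public key,
# notation takes an X.509 certificate for its trust store.
PEM_TYPE_FOR_TOOL = {"cosign": "PUBLIC KEY", "notation": "CERTIFICATE"}

# Trimmed copy of the sample GET response shown in this README.
SAMPLE_CONFIG = json.loads(
    '{"distSpecVersion": "1.1.0-dev", "http": {"auth": {"htpasswd": {}, '
    '"bearer": {"realm": "https://auth.myreg.io/auth/token", "service": "myauth"}}}}'
)

# Constructed placeholder uploads; only the PEM header matters for the checks.
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
FAKE_PUBKEY = b"-----BEGIN PUBLIC KEY-----\nAAAA\n-----END PUBLIC KEY-----\n"


def auth_methods(config):
    """Map the methods enabled under http.auth to what a client needs.

    Presence of a key is the signal: htpasswd shows up as an empty object and
    still means basic-auth credentials are accepted.
    """
    auth = config.get("http", {}).get("auth", {})
    methods = {}
    if "htpasswd" in auth:
        methods["basic"] = True
    if "bearer" in auth:
        bearer = auth["bearer"]
        methods["bearer"] = {"realm": bearer.get("realm"), "service": bearer.get("service")}
    return methods


def pem_block_type(data):
    """Return the label of the first PEM block in data, e.g. 'CERTIFICATE'."""
    for line in data.decode("ascii", "replace").splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            return line[len("-----BEGIN "):-len("-----")]
    raise ValueError("no PEM block found in upload")


def _single_path_component(value):
    # truststoreType/truststoreName become directory names under $rootDir.
    return bool(value) and "/" not in value and "\\" not in value and value not in (".", "..")


def validate_upload(tool, data, truststore_type="ca", truststore_name=None):
    """Client-side sanity checks before uploading; returns a list of problems."""
    expected = PEM_TYPE_FOR_TOOL.get(tool)
    if expected is None:
        return [f"unsupported tool {tool!r}; use one of {sorted(PEM_TYPE_FOR_TOOL)}"]
    problems = []
    try:
        label = pem_block_type(data)
    except ValueError as exc:
        problems.append(str(exc))
    else:
        if label != expected:
            problems.append(f"{tool} expects a {expected} PEM block, got {label}")
    if tool == "notation":
        if not _single_path_component(truststore_type):
            problems.append("truststoreType must be a single path component")
        if not _single_path_component(truststore_name or ""):
            problems.append("truststoreName is required and must be a single path component")
    return problems


def build_upload(base_url, tool, data, truststore_type="ca", truststore_name=None):
    """Return (url, body) for the signatures upload, or raise ValueError."""
    problems = validate_upload(tool, data, truststore_type, truststore_name)
    if problems:
        raise ValueError("; ".join(problems))
    params = {"resource": "signatures", "tool": tool}
    if tool == "notation":
        params["truststoreType"] = truststore_type
        params["truststoreName"] = truststore_name
    return base_url.rstrip("/") + MGMT_PATH + "?" + urlencode(params), data


def storage_path(root_dir, tool, truststore_type="ca", truststore_name=None):
    """Where the README says the uploaded file lands under $rootDir."""
    if tool == "cosign":
        return posixpath.join(root_dir, "_cosign")
    return posixpath.join(root_dir, "_notation", "truststore", "x509",
                          truststore_type, truststore_name)


def post_upload(url, body):
    """POST the raw body like the README's curl --data-binary; needs a live zot."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Typical use is `url, body = build_upload("http://localhost:8080", "notation", open("certificate.crt", "rb").read(), truststore_name="newtruststore")` followed by `post_upload(url, body)`; `storage_path` then tells you where to look on the zot host to confirm the file was written. `post_upload` sends no explicit content type, matching what `curl --data-binary` does; add basic or bearer credentials to the request according to what `auth_methods` reports for your instance.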